chore: sync with latest template state

.github/CODEOWNERS

@@ -4,4 +4,4 @@
 # Order is important: the last matching pattern takes the most precedence
 
 # These owners will be the default owners for everything
-*             @masterpointio/masterpoint-open-source
+*             @masterpointio/masterpoint-open-source

.github/workflows/lint.yaml

@@ -4,7 +4,7 @@ concurrency:
   group: lint-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
-on: pull_request
+on: pull_request_target
 
 permissions:
   actions: read
@@ -20,6 +20,10 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Trunk Check
         uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+        env:
+          # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   conventional-title:
     runs-on: ubuntu-latest

.github/workflows/release-please.yaml

@@ -14,6 +14,14 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
+      - name: Create Token for MasterpointBot App
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.MP_BOT_APP_ID }}
+          private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+
       - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
         with:
+          token: ${{ steps.generate-token.outputs.token }}
           release-type: terraform-module

.github/workflows/test.yaml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
 
 permissions:
   actions: read

.github/workflows/trunk-upgrade.yaml

@@ -19,25 +19,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Create Token for MasterpointBot App
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
-        id: generate-token
+      - name: Run Trunk Upgrade
+        uses: masterpointio/[email protected]
         with:
-          app_id: ${{ secrets.MP_BOT_APP_ID }}
-          private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
-
-      - name: Upgrade
-        id: trunk-upgrade
-        uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
-        with:
-          github-token: ${{ steps.generate-token.outputs.token }}
-          reviewers: "@masterpointio/masterpoint-internal"
-          prefix: "chore: "
-
-      - name: Merge PR automatically
-        if: steps.trunk-upgrade.outputs.pull-request-number != ''
-        env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-          PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
-        run: |
-          gh pr merge "$PR_NUMBER" --squash --auto --delete-branch
+          app-id: ${{ secrets.MP_BOT_APP_ID }}
+          app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+          github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+          reviewers: "@masterpointio/masterpoint-open-source"

.gitignore

@@ -16,6 +16,7 @@
 # IDE/Editor settings
 **/.idea
 **/*.iml
+.cursor/
 .vscode/
 *.orig
 *.draft
@@ -39,13 +40,13 @@ backend.tf.json
 
 # Other
 **/*.backup
-***/*.tmp
+**/*.tmp
 **/*.temp
 **/*.bak
 **/*.*swp
 **/.DS_Store
 
-.cursor/
-
-.claude/
+# AI code gen tools - we beleive engineers are responsible for the code they push no matter how it's generated
+.claude/*
+.cursor/*
 CLAUDE.md

.tflint.hcl

@@ -0,0 +1,42 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "all"
+}
+
+config {
+  format = "compact"
+
+  # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module.
+  # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md
+  call_module_type = "all"
+
+  # default values but keeping them here for clarity
+  disabled_by_default = false
+  force = false
+}
+
+# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN
+# environment variable. Without it, you'll get an error like this:
+#   $ tflint --init
+#   Installing "aws" plugin...
+#   Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials []
+#
+# The solution is to provide a github PAT via a GITHUB_TOKEN env var,
+# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789
+#
+# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+plugin "aws" {
+  enabled = true
+  version = "0.39.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+  deep_check = false
+}
+
+# Allow variables to exist in more files than ONLY variables.tf
+# Example use cases where we prefer for variables to exist in context,
+# - context.tf (applicable to the null-label module)
+# - providers.tf (when passing in secret keys from SOPs - example, github provider)
+# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md
+rule "terraform_standard_module_structure" {
+  enabled = false
+}

.trunk/.gitignore

@@ -6,4 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
-tmp
+tmp

.trunk/trunk.yaml

@@ -7,7 +7,7 @@ cli:
 plugins:
   sources:
     - id: trunk
-      ref: v1.7.1
+      ref: v1.7.0
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes: